Archive for Breach Notification

The Office of the National Coordinator (ONC) released the revised “Guide to Privacy and Security of Electronic Health Information” April 13 to help organizations integrate federal health information privacy and security requirements.

The guide is geared toward HIPAA covered entities and Medicare eligible professionals from smaller organizations. The updated version features information about compliance with the privacy and security requirements of CMS’ Electronic Health Record (EHR) Incentive Programs as well as compliance with HIPAA Privacy, Security, and Breach Notification Rules.

The guide covers such topics as:

  • Increasing patient trust through privacy and security
  • Provider responsibilities under HIPAA
  • Health information rights of patients
  • Securing patient information in EHRs
  • Meaningful Use core objectives that address privacy and security
  • A seven-step approach for implementing a security management process
  • Breach notification and HIPAA enforcement

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.

Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.

However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.

At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.


Hackers gained access to the email accounts of employees at St. Mary’s Health in Evansville, Indiana, by uncovering their usernames and passwords. The hack exposed the PHI of nearly 4,400 St. Mary’s patients, according to a breach notice.

What’s more, some have speculated that St. Mary’s may have violated the HIPAA Breach Notification Rule as it appears it did not notify individuals of the breach within 60 days of initial discovery. On December 3, 2014, St. Mary’s learned that its employees’ usernames and passwords were compromised. After launching an investigation, the healthcare facility discovered January 8 that the compromised email accounts contained patient PHI. St. Mary’s posted a breach notification letter on its website March 5 stating that it would also notify affected individuals by mail and alert media outlets.

PHI linked to the compromised email accounts included:

  • Names
  • Dates of birth
  • Gender
  • Dates of service
  • Insurance information
  • Limited health information
  • Some Social Security numbers

Hackers gained unauthorized access to Anthem’s information technology system and exposed the PHI of more than 80 million people who are currently or were previously covered by the insurance provider.

Kate Borten, CISSP, CISM, founder of The Marblehead Group in Marblehead, Massachusetts, notes that the breach appears to be related to multiple security vulnerabilities. Successful spear phishing attacks permitted unauthorized access and network protocols were likely outdated, says Borten.

Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.

“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”

Having an incident response plan in place proves valuable regardless of the size of an organization or a breach, he says. This must be regularly tested and retested to ensure employees are aware of the plan and how the plan works so updates can be made, if necessary.

Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.

“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line is we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”

Stay tuned for the April issue of Briefings on HIPAA for more reactions to the breach.


A password-protected, unencrypted laptop containing the PHI of approximately 8,000 patients was reported missing from Riverside County Regional Medical Center in Moreno Valley, California, according to The Press Enterprise.

A breach notification letter sent to affected patients states that the medical center learned December 1, 2014, about the missing laptop that was used by its ophthalmology and dermatology clinics. This is the second time in less than a year that the medical center reported a missing laptop, according to The Press Enterprise.

The medical center notified law enforcement and began its own internal investigation, but was unable to find the laptop at the time of the January 29, 2015 letter, which states that the laptop may have contained the following patient information:

  • Names
  • Addresses
  • Dates of birth
  • Telephone numbers
  • Social Security numbers
  • Treating physician or department
  • Diagnosis and treatment information
  • Medical record number
  • Medical service code
  • Health insurance information

The medical center does not believe the laptop was taken in an effort to access or misuse patient information. However, it is offering identity protection alerts for affected patients, according to the letter.
